I need suggestions for an Anti-Virus program
Message
From
27/11/2008 14:42:51

To
27/11/2008 07:54:38
General information
Forum: Visual FoxPro
Category: Other
Miscellaneous
Thread ID: 01363974
Message ID: 01364422
Views: 13
>Hi Mike.
>
>>A couple of questions -- what about web sites that want to stealthily load stuff onto your machine? Avoid them, or does the firewall catch them? And what firewall(s) do you use?
>
>First, I only go to Web sites I know (not to say they couldn't be infected, though).

Recently there have been widespread, successful SQL injection attacks against a range of sites one would think would be well-secured and trustworthy. Another problem is sites that contract to serve up banner ads from 3rd parties; sometimes these 3rd parties are either asleep at the switch or ethically lax. Three times in the last couple of months I've had banner ads attempt to drive-by download XP Antivirus 2008, on high-volume sites that *should* have been completely trustworthy.

>Second, it's the firewall's job to not let anything through. I used to use ZoneAlarm but since I moved to Vista, I've been relying on Windows Firewall. I realize that's a bit of a gamble {g} but thought I'd give it a shot and so far, not a single problem in almost two years.

Hmm, unless it's changed in Vista, Windows Firewall is for incoming traffic only. It won't notify you if your browser makes an outgoing request to pick up a banner ad or malware from a secondary domain.

Having an incoming firewall in place is mandatory if your machine is direct-connected to the Internet. However, no-one should be direct-connecting, everyone should have at least a basic NAT hardware firewall. If you have a corporate firewall in place, the main value of still running incoming firewalls on your LAN boxes is for protection in case one of the other LAN machines gets infected and starts probing your local subnet.

>Interestingly, there's a discussion on this topic right now on the West Wind forum. Here's Rick's thoughts on this: http://www.west-wind.com/wwThreads/default.asp?Thread=2IQ0FCIQ4&MsgId=2IQ157VGY

I generally agree with the referenced article http://www.codinghorror.com/blog/archives/000803.html . The author mainly discusses running as a non-privileged user, and using throwaway VMs and/or image backups to be able to return to a known good, trusted state.

To that I'd add:

- move security software to the perimeter - have gateways or proxies scan your e-mail, Web traffic etc.
- use an alternative browser, or at least avoid IE
- set up a box or VM running Linux or BSD for your Web browsing, or use a Mac - basically, avoid the Windows monoculture

I agree with Rick's point that it's important to practice safe computing. For one thing, it's the only way to avoid or minimize the threat of zero-day attacks. The real difficulty is in training users so they know what "safe computing" is, and to keep them educated as new threats are invented. I think this is what Mike is alluding to when he says he doesn't want to make security a full-time job.

The performance hit of security suites is bad enough, but IMO one of their worst side effects is a false sense of security. Some users running AV think they're invulnerable; they blithely open e-mail attachments and browse dodgy web sites, then they get an expensive shock when some zero-day attack or polymorphic malware slips through.
Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up